The Anatomy of a Secure Secret Sharing Link

What makes a CipherSend link unguessable? A dive into entropy and IDs.

May 27, 2024 | 1 min read | 17 views | CipherSend Team
#cryptography #deep-dive #technical

It Looks Random, Because It Is

A typical CipherSend link looks like this: https://ciphersend.com/secret/8f3b2c1a-9e4d-4a5b-8c7d-1e2f3a4b5c6d

That string of characters at the end isn't just a random jumble—it's a UUID (Universally Unique Identifier) or a high-entropy token.

Why Length Matters

If we used short IDs like abc, an attacker could write a script to try ciphersend.com/secret/aaa, .../aab, etc., and eventually find a valid secret.

By using long, complex tokens, the "search space" becomes astronomically large. Guessing a valid ID by brute force before the sun burns out would take more energy than exists in the solar system.

The "Fragment" Identifier

For our client-side encryption, we use the URL fragment (the part after the #):

https://ciphersend.com/secret/TOKEN#DECRYPTION_KEY

Crucial Detail: Browsers do not send the fragment to the server.

  • The server sees: GET /secret/TOKEN
  • The browser sees: ...#DECRYPTION_KEY

This clever usage of web standards ensures that the server can serve the encrypted data (found by the TOKEN) but physically cannot decrypt it because it never receives the KEY.

Conclusion

Security isn't magic; it's math and architecture. By understanding how the URL is constructed, you can trust the system not because we say so, but because the design proves it.
